security roles and the struts logic:present tag

 
Ranch Hand
Posts: 47
I am building a web application that requires a couple of security roles for logged-in users. They can either be logged in as admin staff or as nursing staff.
I know that Struts supports some form of roles-based logic because there is the <logic:present role="..."> tag.
But where do I specify these roles and how do I relate them to the user object I put into the session when that user logs in?
 
Ranch Hand
Posts: 314
Another more centralized technique available to you in Struts 1.1 is to specify roles in your struts-config.xml. For example, if you want to control the execution of a certain Struts action, you can assign roles to it as in the following example:

This tag has the 'roles' attribute assigned with a value of 'Administrator'. Only Administrators can rule this method. A nice feature!
Darryl
 
dave sag
Ranch Hand
Posts: 47
That's really cool.
So I specify my roles in web.xml as security-constraints?
Where do I map these roles to my user objects? Sorry if I sound confused.
dave
 
Darryl A. J. Staflund
Ranch Hand
Posts: 314
Yes, just specify your security roles in the web.xml file like you would for any servlet application.
 
Darryl A. J. Staflund
Ranch Hand
Posts: 314
I didn't see your second question about where you associate roles with objects. When you use the roles attribute with the action tag, you're associating roles with actions, not with objects.
BTW, you can use a comma-delimited list to specify multiple roles for an action (ex: roles="a,b,c").
Cheers,
Darryl
 
dave sag
Ranch Hand
Posts: 47
Okay, I get all that. What I am unclear on is how I associate the roles with actual user objects.
I have an Employee object. Should it have a corresponding role field? When I log the user in I put a UserSummaryBean in the session under a Global.USER_KEY (of my own creation). Should that user summary bean have a getRole() method? How do the present tags know my user is under that key and has that role? Or is there a standard key I should use and a standard user object I should associate with that key?
dave
 
Darryl A. J. Staflund
Ranch Hand
Posts: 314
Are you talking about role-based authorization (i.e. no administrators (role) can access the bean), or are you talking about user-based authorization (i.e. the "ab989" account can't access the bean)?
If you're concerned with role-based authentication, then the logic forms you refer to should be able to do the job since they refer to roles.
If you're concerned with user-based authentication, I don't know of any out-of-the-box way of having Struts check for it. You should be able to subclass the Struts bean that implements the particular logic tag that you want to use to perform the security check and then override the security method with your own code.
Darryl
 
dave sag
Ranch Hand
Posts: 47
Right. So there is no standard way to connect the roles to users then? Damn.
I was hoping there'd be some way I could tell Tomcat that when I say user I mean a com.x.UserSummaryBean and because that has a getRoles() method I'd then just be able to use the logic tags without having to muck about.
Ah well. Such is life, I guess.
 
Darryl A. J. Staflund
Ranch Hand
Posts: 314
Hi there,
Connect roles to users, eh? How do you handle your authentication? If you're using JAAS then when a user logs onto an account all the roles associated with the account are kept in memory for the duration of the session. I am not sure how you access this information from within JBoss but there has got to be a way.
The JBoss Security forums might have more information on this.
Hope this helps.
Darryl
 
dave sag
Ranch Hand
Posts: 47
The big defect I see with the whole Tomcat users and roles setup is that you have to specify your role and user sources in a file that is global to Tomcat and not local to the webapp you are concerned with. As a developer I have all manner of webapps running on my machine, and don't want to have to go swapping server.xml files about all the time.
So I decided that if I could work out how things discover the users and roles from the request, I could work out how to manually set those things.

and

Is there a way to set these values in code on user login, and thus fool the various struts mechanisms?
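
Added example, not part of the thread: both `<logic:present role="...">` and the `roles` attribute on a Struts 1.1 action decide by calling `request.isUserInRole(...)`, so a servlet filter mapped in the webapp's own web.xml can wrap the request and answer from the bean stored in the session at login. The `UserSummary` interface, the `USER_KEY` value and the class names are assumptions standing in for the poster's `UserSummaryBean` and `Global.USER_KEY`.

```java
// Added example (Java 8+, javax.servlet API). Names are hypothetical.
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class RoleBridgeFilter implements Filter {
    // Assumed session key; the thread's Global.USER_KEY plays this role.
    static final String USER_KEY = "user";

    /** Assumed shape of the thread's UserSummaryBean. */
    public interface UserSummary {
        String getUsername();
        Set<String> getRoles();
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);   // do not create a session here
        Object bean = (session == null) ? null : session.getAttribute(USER_KEY);
        if (bean instanceof UserSummary) {
            // Logged in: role checks are answered from the session bean.
            chain.doFilter(new RoleRequest(http, (UserSummary) bean), res);
        } else {
            // Not logged in: leave the request untouched (no roles granted).
            chain.doFilter(req, res);
        }
    }

    /** Answers identity and role queries from server-side session state only. */
    static final class RoleRequest extends HttpServletRequestWrapper {
        private final UserSummary user;
        RoleRequest(HttpServletRequest request, UserSummary user) {
            super(request);
            this.user = user;
        }
        @Override public boolean isUserInRole(String role) {
            return role != null && user.getRoles().contains(role);
        }
        @Override public String getRemoteUser() { return user.getUsername(); }
        @Override public Principal getUserPrincipal() {
            return () -> user.getUsername();   // Principal.getName()
        }
    }
}
```

The wrapper only changes what code running behind the filter sees; `security-constraint` elements in web.xml are enforced by the container before any filter runs and are not affected by it. The roles must be placed on the bean by the login code from the application's own user store, never taken from request parameters.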
 